Sunday, 28 October 2012

Hacking WebServer : Brute Forcing

Hello Friends.
                      Today I am going to show you how to develop a word list and use brute force the login authentication to access certain directory in web server.

Basic Things Required
1.Java SDK and JRE [this will be required to develop the word list. ]
2.Any IDE like BlueJ or NetBeans or Eclipse . You can use notepad but you need to compile that manually.It is not necessary you need to create word list using Java only.You can use any programming language you feel comfortable. 
3.Brutus or THC Hydra [Brute Force tools]

CAUTION
"This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.Sometimes (rarely although) performing Brute Force attacks can lead do DOS attacks. To prevent this sometimes system admin keeps tracks of the incoming connections . If they find that too many requests are being sent from a particular IP then they block that IP for sometime, sometimes even Bans them. Some web servers also deploy IDS in their web server to prevent brute force attacks . Performing this technique is completely illegal."


Word List Generator Source Code
Here is a small code written in Java that can be used to create a simple 2 lettered word list.

*******************Code Starts Below This Line************************

public class WordList{
    public static void main(String args[]){
        for(int i=0;i<26;i++){
            for(int j=0;j<26;j++){
                char c1=(char)('a'+i);
                char c2=(char)('a'+j);
                 System.out.println(c1+""+c2);
            }
        }
    }
}
**************************Code Ends Above This Line*******************
  • You can manually compile the code by saving it in a file having  same name as the class name and having  extension an extension .java. Compile it by using the command
          javac WordList.java

         And execute it by 

          java WordList.class

  • Find the directory that requires the login username and password.



  • Now that You have got the directory that requires credentials, try to access it and you will find a prompt asking for credentials.



  • Now here 2 different cases can arise. Sometimes username is already provided and you need to provide password only and sometimes neither are provided. If you don't find the username then you need to create different word list for username.Now its time for Brutus to play his role.
  • Perform the details I provided in this image. Sometimes you need to customize  the settings it in a different way.


After Brutus provides a positive result you can enter the username and password at the login prompt and access the directory.

#################################################################################